Adobe Reader, Acrobat Patch Set to Come out This Week

With exploits going around the Web, Adobe is preparing to release the first round of patches for a zero-day vulnerability affecting its Adobe Reader and Adobe Acrobat products. Wednesday's patches will be for version 9 of Reader and Acrobat, with patches for earlier editions coming next week.

With new exploits circulating, Adobe is still on schedule to
release a patch Wednesday for a well-publicized zero-day
vulnerability affecting Adobe Acrobat and Reader.
The patch will be for version 9 of Acrobat and Reader; patches for 7
and 8 of both products will be coming March 18. Users should move
quickly to deploy the fix, which comes on the heels of security blogger Didier Stevens' discovery
of an exploit that works without tricking the user into opening a
malicious file. The exploit works by leveraging the Windows Explorer
Shell Extension in Adobe Reader.

Stevens posted a proof-of-concept for his creation online.

"Under the right circumstances, a Windows Explorer Shell Extension
will read the PDF document to provide extra information, and in doing
so, it will execute the buggy code and trigger the vulnerability," he
blogged. "Just like it would when you would explicitly open the
document."
Stevens' code is just the latest example of exploits targeting the
bug, which researchers believe has been under attack for since at least
January. The vulnerability itself is due to an array indexing error in
the processing of JBIG2 streams, and can be exploited with a specially
crafted PDF file to corrupt arbitrary memory and allow an attacker to
take control of a compromised system.
The existence of the vulnerability did not become widely known until
February, however, when researchers at the Shadowserver Foundation
posted about it on a blog. Though initial reports indicated disabling
JavaScript would solve the issue, it in fact only addressed certain
exploits and did not address the underlying vulnerability. In the
aftermath, security pros offered a variety of advice on mitigation,
some of which is listed here.
Though Adobe has taken some flack for its handling of the situation, officials at the company recently defended their actions.
"We take security, including this specific issue, very seriously and
are committed to protecting users of our products and technologies," a
spokesperson at Adobe told eWEEK. "We can confirm that the
vulnerability affects all platforms for Adobe Reader and Acrobat, as
mentioned in our Security Advisory, and that we have listed the
vulnerability with a critical rating on all platforms for the products."